Wired News originated a story [1] claiming that NAI had quietly
rejoined the KRA, after publicly disavowing it [2] following its
acquisition of PGP last December [3]. Here are the facts: NAI
acquired Trusted Information Systems in May 1998. TIS had been a
leader in the Alliance, and its technology was considered to be
among the best solutions in this space. NAI resigned the
leadership posts that TIS had held in the Alliance and continued to
monitor its work, but stopped attending its meetings. The NAI name
still appears on the KRA Web site [4], as it has since May. There
is no news here. Perhaps Wired was tipped by a disgruntled KRA
member after Network Associates sent a representative to a recent
meeting to suggest that they disband, because Open Source
development provides greater security and assurance than any approach
based on key recovery. The following statement was sent to me by
Jon Callas, CTO of Total Network Security (formerly PGP Inc.) at
Network Associates.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here is the official statement:
"NAI officially withdrew from the Key Recovery Alliance in late
1997. In May of 1998, NAI acquired Trusted Information Systems,
which had been an active member of the KRA. NAI subsequently
relinquished the leadership role TIS had taken in the
organization. NAI Labs' TIS Advanced Research Division
continues to monitor the KRA's activities from a technical
perspective, but Network Associates in no way advocates
mandatory key recovery."
Jon
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0
iQA/AwUBNlC9e335wubxKSepEQJI6wCfSExUUVyfhEO3Nd0xOgu+7gF4SYQAnRBN
35N5BTvab2T8v+PEzhlbzv++
=l7xe
-----END PGP SIGNATURE-----

SecureXpert Labs has discovered a deep and troubling security hole
in the implementation of HTML frames [5]. All recent versions of
Netscape Navigator and MS Internet Explorer are vulnerable, and any
Web site using frames can be exploited. The "frame spoof"
vulnerability is breathtaking in its scope and simplicity. It represents
not so much a bug in the browsers' code as a flaw in the security
policy they implement.

The bug was announced by Dr. Richard Reiner, CEO of SecureXpert
Labs' parent company FSC Internet. SecureXpert has posted two sample
exploits [6], one that requires JavaScript and one that relies on
nothing but HTML. Both demonstrate how unauthorized information
can be displayed in the frame of a known and trusted site, such as
citibank.com or disney.com. Here are technical details [7].

SecureXpert will be working with Netscape and Microsoft on
client-side fixes for the problem, but Dr. Reiner mused to the BugTraq list
that the browser may not be the most appropriate place to patch this
hole.

[S]hould there not be a more deeply
entrenched, more reliable, more open, better audited, better
trusted mechanism of some sort? Our thinking is that leaving
these aspects of security policy to the Web browser software
is a bad thing.

SecureXpert Labs has developed server-side fixes for the frame-spoof
vulnerability, which will be made available first to its paying
clients. Dr. Reiner wrote to me:

We do intend to make a free, general release of at least two
server-side solutions, both of which are reasonably effective
in stopping the known exploits for this vulnerability.
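
The server-side fixes Dr. Reiner mentions are not described on this page. As an added example (my own code, not SecureXpert's or either browser vendor's), here is one way a site's frameset page can notice that one of its frames no longer holds the site's own document and point it back at the intended page. The site origin, frame names and URLs are constructed, and `makeFrame` is a stand-in for browser frame objects so the logic can run outside a browser.

```javascript
// Added illustration, not SecureXpert's or a browser vendor's code. A frameset page
// can read a child frame's location only while that frame holds a same-origin
// document; cross-origin access throws. A throw, or a same-origin URL the site never
// serves there, means foreign content is in the frame, and the frameset points it back.

const SITE_ORIGIN = 'https://www.example-bank.test'; // constructed sample origin

// Frame name -> URL the frameset intends to show there (constructed).
const INTENDED = { nav: SITE_ORIGIN + '/nav.html', content: SITE_ORIGIN + '/account.html' };

function originOf(href) { try { return new URL(href).origin; } catch (e) { return null; } }

// frames: array of window-like objects {name, location}, as window.frames would be.
// Returns [{name, reason}] for each frame no longer showing the site's own page.
function findHijackedFrames(frames) {
  const bad = [];
  for (const f of frames) {
    let href;
    try {
      href = f.location.href;           // throws for a cross-origin document
    } catch (e) {
      bad.push({ name: f.name, reason: 'cross-origin document' });
      continue;
    }
    const origin = originOf(href);
    if (origin !== SITE_ORIGIN) bad.push({ name: f.name, reason: 'unexpected origin ' + origin });
  }
  return bad;
}

// Assigning a frame's location is permitted even when reading it is not, so the
// frameset can always reclaim a frame. Returns the frames it found hijacked.
function restoreFrames(frames) {
  const hijacked = findHijackedFrames(frames);
  for (const f of frames) {
    if (INTENDED[f.name] && hijacked.some(h => h.name === f.name)) f.location.href = INTENDED[f.name];
  }
  return hijacked;
}

// Constructed stand-in for a browser frame: reading href throws while the frame
// holds a foreign document; assigning href "navigates" it back to our own page.
function makeFrame(name, href, foreign) {
  const location = {};
  Object.defineProperty(location, 'href', {
    get() { if (foreign) throw new Error('SecurityError'); return href; },
    set(v) { href = v; foreign = false; },
  });
  return { name, location };
}
```

In a real frameset this check would run from an onload handler or a timer on the frameset document itself; the stand-in objects only exist so the functions can be exercised here.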

The organization set to inherit dominion over Net naming and
numbering held its first public meeting on 14 November. ICANN anticipated
rough sailing and they certainly encountered it [8] from an audience
of more than 150. Fewer than one-third raised their hands when
interim chairwoman Esther Dyson asked how many thought that a
consensus on general principles could be reached at the meeting. One
participant, complaining about the secret process by which ICANN's
initial board had been selected, said "The board has sprung as a
virgin birth from some unknown entity." (In fact the "unknown
entity" was the late Jon Postel, as a lawyer working with Postel's
agency IANA explained.) Dyson asked the meeting, "How many think
ICANN is an out-and-out fraud and are here to try to stop it?" Only
a few hands went up, but someone shouted, "Could you separate those
questions?" This meeting indicates how hard it will be for ICANN to
find common ground in the naming transition -- a process rendered
vastly more fraught by the death of Postel, the resignation of the
Network Solutions CEO [9], and the imminent departure from the
Clinton administration of Ira Magaziner [10], one of the few visible
White House staffers who has a clue on the Net. The ICANN board will
hold a second public meeting in Brussels on 25 November; the
European Commission will host.

Was it [11] spam? It's a grey area. The recipients were customers
of the sender, Network Solutions, and it might be claimed that an
unsolicited emailing to customers could not be objectionable. But
this mailing had a few points against it that shade it over into
the black end of grey. Let's call it c-spam -- customer spam.

The email claimed that the recipient was now on a list to
receive an email newsletter, and needed to opt out if this was
unwanted.

No mechanism was given, and none is believed to exist, to opt
out of all such future mailings.

Network Solutions currently has no competition for
.com/.net/.org names -- disgusted customers have no recourse.

Paul Vixie, proprietor of the Realtime Blackhole List [12], [13],
posted a request for commentary [11] to NANOG: Should he blackhole
netsol.com? If 208.226.58.70 were entered onto the RBL, the domain
would suddenly become invisible to large portions of the Net. (Note:
internic.net would not be affected by such an action.) One poster
commented that the usual means of fighting spam don't work in this
case: one can't complain to NetSol's upstream provider and request
that its connectivity be yanked. Another pointed out that if NetSol
got sufficiently annoyed with Vixie they could simply deactivate
vix.com and put him out of business.

At this writing the debate is still rolling on NANOG, Vixie is in
discussions with NetSol sales/marketing management, the domain is
not blackholed, and NetSol has agreed to hold off any further
mailings until the discussions conclude.

A favorite sport among the geeks who frequent slashdot.org is
speculating on the nature of the product Transmeta is developing [14].
Their curiosity is understandable as the father of Linux, Linus
Torvalds, works there. Now the ultra-secretive company may have
offered the first glimpse of its technology, courtesy of a patent [15]
issued earlier this month. Somewhat mysteriously titled "Memory
controller for a microprocessor for detecting a failure of
speculation on the physical nature of a component being addressed,"
the patent reveals a chip that can translate Intel instructions into
a more advanced format, VLIW (Very Long Instruction Word). It should
run Windows faster than anything yet seen on the planet. It could
also be highly efficient running Java or RISC processor code.

Some have speculated that the microprocessor is reverse-engineered
from alien technology. This news.com story [16] catches an industry
analyst in mid-quip:

This is not your mother's x86.

Here are two summary readings and explications of the patent [17],
[18], in order of comprehensiveness. I can't vouch for either
author's technical chops but I know both writeups leave me in the
dust after paragraph 1.

The Digital Millennium Copyright Act, which was signed into law
last month, requires [19] all ISPs to register with the Copyright
Office and to name a designated contact for complaints of
copyright violation. The rules are only an interim step in the new
law's implementation; regulators will draft permanent rules and
host a public comment period within the next several months.

The I2O Special Interest Group is developing specifications for an
advanced I/O subsystem. On 4 November the group announced [20] that
it had made version 1.5 of the I2O spec publicly available to all
product developers at no cost. This announcement lays to rest
year-old fears [21] that the I2O Consortium might use its closed
membership roster and non-disclosure terms to hobble Linux implementation
of the I/O system, especially on Intel's Merced chip. Here is
discussion of the I2O development on Slashdot [22].

On 16 November, Los Angeles television station KCOP posted on
its Web site a piece titled Rockets Red Glare (no longer up as
far as I can determine):

A British submarine now lurking off Newport Beach will fire
unarmed Tomahawk cruise missiles toward the Mojave Desert.
The British, notwithstanding their rich naval history, have
neither the experience nor the tracking stations to launch
cruise missiles within the United Kingdom and they've never
launched a Tomahawk. U.S. Navy experts will be helping the
crew of HMS Splendid during the test. The British government
is buying 65 Tomahawks in a $320 million deal.

The British were not saying how many missiles they planned to test.
The missiles were to fly 80 miles, hugging the terrain 200 feet
over suburban Los Angeles, to the Mojave Desert west of Edwards
Air Force Base. Must have been impressive. Our British cousins
thought, perhaps, that the Angelinos would mistake the Tomahawks
for daylight Leonids [23].